Let's say that Microsoft has stopped supporting Windows Server 2003 now, so there are no security updates, and I use that system as a Domain Controller (Windows XP/7 Professional clients) and File Server only. I'm using ESET NOD32 AntiVirus.

I don't surf the Internet on that system, nor will I install/open any programs/documents, and that server is connected to a router without any open ports.

What are the security risks in keeping this system running with no more security updates?

On July 14, 2015, all Windows 2003 support, including security updates and security-related hotfixes, will be terminated.

2 Answers

First of all, never assume that if a system doesn't directly contact the internet that it is safe from malware infection as other systems becoming infected can spread it throughout a network.

Second, new vulnerabilities are still being found on unsupported OSes, meaning that even if your 2003 server is fully up to date at the time support ends it will be vulnerable to known attacks within days or weeks that will forever remain unpatched.

Third, today's malware packages tend to be designed with many possible exploits in mind, so one that infected a Windows 7 system may be able to attack 2003 systems, Linux, Mac, etc. with ease.

Fourth, your domain controller/file/print server is the most contacted system in your entire infrastructure, and one of the most vital as controlling it gives an attacker a great deal of power. A malware-infected system brought in from the outside will likely target the domain controller and, having taken control of it, will then control your entire infrastructure.

Having your critical infrastructure on an outdated, unsupported OS is a bad idea.

Maybe. While you say you do not browse from the system nor does it communicate with the internet, there are a number of other possible scenarios to contend with:

That the system is already compromised, making this discussion moot. Unlikely, but still possible.

That the system can be attacked from compromised hosts on your internal network.

The type of attacker you are defending against; e.g. a determined targeted attack ("advanced persistent threat") or a scattergun approach.

Whether the second point holds really depends on your configuration and whether any holes exist in the OS once it reaches end of life. If there are, these will not be fixed.

Whether these holes can be exploited really depends on the type of attack. An automated scattergun-type malware might optionally attempt to scan for known vulnerable systems and try to compromise those too. Or it may miss them, on the basis of no longer considering them viable due to dwindling install numbers.

A targeted attack is likely to be different. If I were looking at how to attack your system, and I had knowledge of this box running beyond-the-grave software, I'd be cackling like Boris from GoldenEye (pleased, basically). The reason for this is simple: if I can find a hole on this box, I know it won't be patched. I no longer have to deliver an exploit within a certain window - I can simply compromise at will. Got any other systems on the same platform? Great, I can attack those too. Even if you re-install, I can re-infect - because plugging the hole will not happen.

As such, I'd tend to err on the side of saying no, it's not secure. There are a lot of 'if's in that assumption, and a lot of adjustment depending on the risks you believe you face, but given the machine is a fairly critical one, I'd update.